iptables question with OpenVPN (tun0 to tun0 filtering)
I've got a (hopefully) simple question.
I've got an OpenVPN Server, running with various subnets, working perfectly.
What I'm trying to do is block traffic going from VPN Subnet A to VPN Subnet B. I've been able to restrict traffic to the local LAN hosting the VPN server using rules in the FORWARD chain. I can't seem to find a way to control what is routing through the tun0 interface, though.
It is almost as if the tunnel to tunnel routing isn't even going through OpenVPN.
I've set the default policy on FORWARD to DROP, and have been able to block access to the internal LAN, but I can still ping client to client. I know just commenting out client-to-client in the server.conf for openvpn will work, but I want to have SOME client to client communication, just not all.
Any recommendations?
I am not sure what you mean.
You have a VPN server. Two VPN clients (each with a LAN behind them) connect.
You should see the traffic on tun0 or a similar interface. I would think you can control the traffic by using the tun0, tun1, ... interface in your iptables rules. Maybe it is useful to do a tcpdump to see what is passing with which IP addresses.
I found the problem. When you have that client-to-client directive enabled in the server.conf for openvpn, it actually doesn't route the traffic via the tun0 interface at all, so it never shows up in iptables (or tcpdump, for that matter). When I disabled the directive, then the traffic started getting routed via the interface, and I could control it with iptables.
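Once client-to-client is removed from server.conf, packets between two tun0 clients leave the kernel's routing code via tun0 and re-enter it via tun0, so they traverse the FORWARD chain with both -i tun0 and -o tun0. The script below is an added example, not something posted in this thread or shipped with OpenVPN. All addressing is assumed: the server interface is tun0, VPN Subnet A is 10.8.1.0/24, VPN Subnet B is 10.8.2.0/24, a third "admin" subnet 10.8.3.0/24 is allowed to reach every client, and 10.8.0.0/16 covers the whole VPN address space. It also includes a small check that the client-to-client directive really is absent or commented out, since with the directive active none of these rules would ever see the traffic.

```shell
#!/bin/sh
# Added example (not from the thread): FORWARD-chain rules for filtering
# OpenVPN client-to-client traffic after "client-to-client" has been
# removed from server.conf, so the kernel (and therefore iptables)
# routes packets between tun0 clients.
#
# ASSUMED addressing; override via environment to match your deployment.
TUN_IF="${TUN_IF:-tun0}"                    # OpenVPN server interface
VPN_NET="${VPN_NET:-10.8.0.0/16}"           # whole VPN address space
SUBNET_A="${SUBNET_A:-10.8.1.0/24}"         # VPN Subnet A (must not reach B)
SUBNET_B="${SUBNET_B:-10.8.2.0/24}"         # VPN Subnet B
SUBNET_ADMIN="${SUBNET_ADMIN:-10.8.3.0/24}" # clients allowed to reach everyone

# IPT defaults to the real binary; set IPT=echo for a dry run that only
# prints the commands instead of applying them.
IPT="${IPT:-iptables}"

# Return 0 if client-to-client is absent or commented out in the given
# server.conf, 1 if the directive is still active (in which case OpenVPN
# switches the packets internally and they never reach tun0 or iptables).
client_to_client_disabled() {
    ! grep -Eq '^[[:space:]]*client-to-client' "$1"
}

# Print the rule set, one iptables invocation per line, so it can be
# reviewed (or diffed against a running system) before being applied.
# Order matters: replies to allowed flows are accepted first, the admin
# subnet is allowed everywhere, A->B is logged and dropped explicitly,
# traffic within A and within B is allowed, and everything else falls
# to the DROP policy (so B->A is dropped as well).
vpn_forward_rules() {
    cat <<EOF
$IPT -P FORWARD DROP
$IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $TUN_IF -o $TUN_IF -s $SUBNET_ADMIN -d $VPN_NET -j ACCEPT
$IPT -A FORWARD -i $TUN_IF -o $TUN_IF -s $SUBNET_A -d $SUBNET_B -j LOG --log-prefix "VPN-A2B-DROP: "
$IPT -A FORWARD -i $TUN_IF -o $TUN_IF -s $SUBNET_A -d $SUBNET_B -j DROP
$IPT -A FORWARD -i $TUN_IF -o $TUN_IF -s $SUBNET_A -d $SUBNET_A -j ACCEPT
$IPT -A FORWARD -i $TUN_IF -o $TUN_IF -s $SUBNET_B -d $SUBNET_B -j ACCEPT
EOF
}

# Number of rules that match tun0-to-tun0 (client-to-client) traffic.
tun_to_tun_rule_count() {
    vpn_forward_rules | grep -c -e "-i $TUN_IF -o $TUN_IF"
}

# Execute the printed rules; stops at the first failing command.
apply_rules() {
    vpn_forward_rules | sh -e
}

# Stand-alone usage: check the config, then apply (or dry-run) the rules.
if [ "${1:-}" = "apply" ]; then
    conf="${2:-/etc/openvpn/server.conf}"
    if ! client_to_client_disabled "$conf"; then
        echo "client-to-client is still active in $conf; remove it first" >&2
        exit 1
    fi
    apply_rules
fi
```

Run it as `IPT=echo sh vpn-forward.sh apply /etc/openvpn/server.conf` first to see exactly which rules would be installed, then without IPT=echo to apply them. After applying, a `tcpdump -i tun0` while a Subnet A client pings Subnet B should now show the echo requests arriving on tun0 and the kernel log should show the VPN-A2B-DROP entries, confirming the traffic is taking the kernel path rather than OpenVPN's internal switch.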
Interesting... will keep that in mind when using OpenVPN
Please do mark your thread as being solved with the thread tools.